Last updated on Monday, March 4, 2024 21:18:46 GMT

On February 19, 2024, ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect 23.9.7 and earlier. Neither vulnerability had a CVE assigned at time of disclosure, but as of February 21, CVEs have been assigned to both issues mentioned in ConnectWise's advisory:

  • CVE-2024-1709: an authentication bypass (CVSS 10.0)
  • CVE-2024-1708: a path traversal (CVSS 8.4)

ScreenConnect is popular remote access software used by many organizations globally; it has also been abused by adversaries in the past. There appear to be some 7,500+ instances of ScreenConnect exposed on the public internet. The vulnerabilities were not known to be exploited in the wild when they were disclosed, but as of the evening of February 20, ConnectWise has indicated that they have confirmed compromises arising from exploitation of these vulnerabilities. Rapid7 Managed Detection and Response (MDR) has also observed successful exploitation in customer environments.

Security news media and security vendors are raising strong alarms about the ScreenConnect vulnerabilities, largely because of the potential for attackers to exploit vulnerable ScreenConnect instances and then push ransomware to downstream clients. This is a particular concern for managed service providers (MSPs) and managed security service providers (MSSPs) who use ScreenConnect to remotely manage client environments.

Mitigation guidance

All versions of ConnectWise ScreenConnect before 23.9.8 are vulnerable to these issues (CVE-2024-1708 and CVE-2024-1709, which had no CVE identifiers at the time of disclosure). Customers who have on-premise ScreenConnect instances in their environments should apply the 23.9.8 update on an emergency basis, per ConnectWise's guidance. The vendor has also published several indicators of compromise (IOCs) in their advisory that organizations can hunt for. Rapid7 strongly recommends looking for signs of compromise even after the patch has been applied, since patching does not evict an attacker who exploited the instance beforehand.

ConnectWise has also removed licensing restrictions to allow partners to update to supported systems, and they have updated their advisory to note the following: "ConnectWise has rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later. If your instance is found to be on an outdated version, an alert will be sent with instructions on how to perform the necessary actions to release the server."

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks available in the February 21 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity related to these vulnerabilities:

  • Suspicious Web Requests - Possible ConnectWise ScreenConnect Exploitation
  • Attacker Technique - Remote Access Via ScreenConnect
  • Attacker Technique - Command Execution Via ScreenConnect
  • Suspicious Process - ScreenConnect with RunRole Argument
  • Attacker Technique - ConnectWise ScreenConnect Exploit Adding a New User

Note: In order for Rapid7 to alert on the rule Attacker Technique: ConnectWise ScreenConnect Exploit Adding a New User, customers will have to ensure that a host's Advanced Security Audit Policy Settings for Kernel Object is configured to log Windows Event ID 4663 and that a SACL is set on ScreenConnect's directory. Without both the audit subcategory and the SACL, Windows never writes the 4663 events the rule depends on. More information on how to configure the Advanced Audit Policy is available here.
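The following is an added example of how to put that prerequisite in place, written for this page; it is not Rapid7's or ConnectWise's own code. It assumes the default on-premise install path `C:\Program Files (x86)\ScreenConnect` (change `$ScreenConnectDir` if your instance lives elsewhere) and an elevated PowerShell session on the ScreenConnect server. One caveat: the post names the "Kernel Object" subcategory, but Windows evaluates file and directory SACLs under Object Access > "File System", so the example enables both.

```powershell
# Added example (not from the original post). Run elevated on the ScreenConnect server.
# ASSUMPTION: default on-premise install directory; adjust to match your deployment.
$ScreenConnectDir = 'C:\Program Files (x86)\ScreenConnect'

# 1. Enable the Object Access subcategories that emit Event ID 4663.
#    "Kernel Object" is what the post names; "File System" is the subcategory
#    that actually governs file/directory SACL auditing, so enable both.
auditpol.exe /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol.exe /set /subcategory:"File System"   /success:enable /failure:enable

# 2. Add a SACL entry to the ScreenConnect directory so that any principal
#    writing to or deleting from the tree (including App_Data) is audited.
#    Get-Acl -Audit and Set-Acl on a SACL both need SeSecurityPrivilege (admin).
$acl    = Get-Acl -Path $ScreenConnectDir -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ScreenConnectDir -AclObject $acl

# 3. Verify the policy and the SACL took effect.
auditpol.exe /get /subcategory:"Kernel Object"
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $ScreenConnectDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. Quick local check that 4663 events for the ScreenConnect tree now appear.
#    (Touch a file under the directory first if you want to see one immediately.)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ScreenConnectDir*" } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Auditing writes for `Everyone` on the whole install tree generates noise on a busy server; if volume is a problem, narrow the SACL to the subdirectory the rule cares about rather than dropping the audit policy, and confirm the Insight Agent is collecting the Security log from that host.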

A Velociraptor artifact is available here to assist in hunting for indicators of compromise. A Metasploit module is available here (pending final merge and release).

Updates

February 21, 2024: Updated to include CVEs (CVE-2024-1708, CVE-2024-1709) and to note exploitation in the wild. Rapid7 MDR has also observed exploitation in customer environments. Updated with availability of vulnerability checks to InsightVM and Nexpose customers.

February 22, 2024: New detection rule added for InsightIDR and MDR customers (Attacker Technique: ConnectWise ScreenConnect Exploit Adding a New User).

February 23, 2024: Velociraptor artifact now available; Metasploit module in development. Changes to ConnectWise's advisory guidance have been added to the Mitigation guidance section of this blog.